---
title: Vulnerability scanning
course: intro_pentest
section: Scanning
layout: lesson
---

Now that we have a list of IPs, open ports and services on each machine, it’s
time to scan the target for vulnerabilities. A vulnerability is a weakness in the
software or system configuration that can be exploited. Vulnerabilities can come
in many forms, but most often they’re associated with missing patches. Vendors
release patches to fix a known problem or vulnerability. Un-patched software and
systems often lead to quick penetration tests because some vulnerabilities allow
remote code execution. Remote code execution is definitely one of the holy grails
of hacking.

It’s important to understand this step as the results will feed directly into
step 3 where we’ll gain access to the system. To scan systems for
vulnerabilities, we’ll use a vulnerability scanner. There are several good
scanners available to you but for this course we’ll be focusing on Nessus.

Nessus is a great tool and is available for free to home users: from their
website you can download a full-fledged version of Nessus and get a key for
free. If you’re going to use Nessus in a corporate environment, you’ll need to
sign up for the Professional Feed rather than the Home Feed. The Professional
Feed will run you about $100 a month. We’ll be using the Home version for this
course.

Installing Nessus is very straightforward. It’ll run on either Linux or Windows.
Nessus runs using a client/server architecture. Once set up, the server runs
quietly in the background and you interact with the server through a browser. To
install Nessus, you need to complete the following steps:

1. Download the installer from [www.nessus.org](https://www.nessus.org)
2. Register for a key on the Nessus website by submitting your e-mail address.
   The Nessus crew will e-mail you a unique product key that can be used to
   register the product.
3. Install the program
4. Create a Nessus user to access the system
5. Update the plug-ins.

One of the key components of Nessus is the plug-ins. A plug-in is a small block
of code that is sent to the target machine to check for a known vulnerability.
Nessus has literally thousands of plug-ins. These will need to be downloaded the
first time you start the program. The default installation will set up Nessus to
update the plug-ins for you automatically.

Once you’ve installed the Nessus server, you can access it by opening a browser
and entering "`https://127.0.0.1:8834`" in the URL (assuming you’re using Nessus
on the same computer you installed the server on). Don’t forget the "`https`" in
the URL as Nessus uses a secure connection when communicating with the server.
You’ll be prompted with a log-in screen. You can use the username and password
you created when installing the program.

Before we can use Nessus, we need to set up a scan policy. You can do this by
clicking on the "`Policies`" tab in the left sidebar. To set up a policy, you
need to choose between the available templates (such as Host Discovery, Basic
Network Scan, Advanced Scan, etc.); once you have chosen one, you need to provide
a name.

There are many options that you can use to customize your scan. For the purpose
of this course, we’ll use the defaults. Select "`My Scans`" in the left sidebar,
click "`New Scan`" in the upper-right side of the screen, select what kind of
scan you want to perform (I’ll select "`Basic Network Scan`"), then set a name,
and specify each of the targets to scan in the "`Targets`" text area (e.g.
"`192.168.1.1/24`", "`h4ck1ngb00tc4mp.gq`", "`192.168.0.16`").

Once everything is filled, click the "`Save`" button on the lower right. Nessus
will provide you with information about the progress of your scan while it’s
running.

When Nessus finishes the scan, you’ll be able to review the results by clicking
on the "`Reports`" link in the left sidebar. The report will provide you with a
detailed listing of all the vulnerabilities that Nessus discovered. We’re
especially interested in vulnerabilities labeled as High. You should take time
to closely review the report and make detailed notes about the system. We’ll use
these results in the next step to gain access to the system.
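One way to turn the report into the notes this step asks for, as an added example that is not part of the course or of Nessus itself: it assumes you exported the finished scan as a `.nessus` (v2) XML file, in which each `ReportItem` carries a `severity` attribute from 0 (Info) to 4 (Critical), and it keeps only High and Critical findings grouped per host. The sample XML, hosts and plug-in IDs below are constructed.

```python
import xml.etree.ElementTree as ET

# Nessus "severity" attribute values: 0 = Info, 1 = Low, 2 = Medium, 3 = High, 4 = Critical.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample in the .nessus (v2) export layout; these are not real scan results.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="Basic Network Scan">
<ReportHost name="192.168.0.16">
 <ReportItem port="445" protocol="tcp" severity="4" pluginID="100001" pluginName="SMB missing vendor patch (constructed)"/>
 <ReportItem port="22" protocol="tcp" severity="0" pluginID="100002" pluginName="SSH server detection (constructed)"/>
</ReportHost>
<ReportHost name="192.168.1.10">
 <ReportItem port="80" protocol="tcp" severity="2" pluginID="100004" pluginName="Missing security header (constructed)"/>
 <ReportItem port="80" protocol="tcp" severity="3" pluginID="100003" pluginName="Outdated web server (constructed)"/>
</ReportHost>
</Report></NessusClientData_v2>"""

def findings_by_host(nessus_xml, min_severity=3):
    """Return {host: [(severity, port, protocol, pluginID, pluginName), ...]}
    keeping only ReportItems at or above min_severity (3 = High), most severe first."""
    results = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        items = []
        for item in host.findall("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev >= min_severity:
                items.append((sev, int(item.get("port", "0")), item.get("protocol", ""),
                              item.get("pluginID", ""), item.get("pluginName", "")))
        if items:  # hosts with nothing at this level are left out of the notes
            items.sort(key=lambda f: (-f[0], f[1]))
            results[host.get("name")] = items
    return results

def notes(nessus_xml, min_severity=3):
    """One line per finding, grouped by host, ready to paste into your notes."""
    lines = []
    for host, items in findings_by_host(nessus_xml, min_severity).items():
        lines.append(f"[{host}]")
        for sev, port, proto, pid, name in items:
            lines.append(f"  {SEVERITY_NAMES.get(sev, str(sev)):<8} {port}/{proto}  plugin {pid}: {name}")
    return lines

if __name__ == "__main__":
    print("\n".join(notes(SAMPLE_NESSUS)))
```

Lower `min_severity` to 2 when you also want the Medium findings in the notes; the plug-in ID is kept because it is the quickest way to look a finding up again in the Nessus UI.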

Once we’ve completed port scanning and vulnerability scanning for each of our
targets, we should have enough information to begin attacking the system.
